Topic: The Open Source debate (Read 11221 times)

Today, in a meeting at work, I mentioned that one of our senior doctors was looking at an open source product that might be a worthy replacement for the aging and soon-to-die (it won't run under Win7) clinical information system we use.

One of the IT attendees said straight away that he wouldn't allow anything open source running in our environment. Why? I asked. "Well, it's insecure. If the code's available to anyone, then anything could happen. A security nightmare."

Aghast as I was, I had no instant answer. I mumbled something incoherent about open source encryption tools that probably nobody there gave any credence to at all and the conversation moved on.

We all know that viewpoint's nonsense. But I could really use a short, understandable-by-idiots, refutation of the "common sense" view that open source software is "obviously" a security disaster waiting to happen.

The fact that 80% of the internet is running on open source software probably won't cut it. The idiots all "know" that the internet is a dangerous place and clearly everything's held together by string, cobwebs, egg stains, a little glue and the determined efforts of the only software houses worth mentioning, Symantec and Microsoft, and trying to tell them otherwise needs something solid, instant and understandable.

So does anyone have anything helpful -- and preferably unarguable -- I can throw at them?

The most likely things that could happen would be that the whole community could (a) test in a variety of situations and configurations, (b) find and test edge conditions in real life, (c) suggest improvements in workflow or efficiency -- and have a chance to suggest the code for it, (d) find bugs -- and have a chance to suggest the code to fix them, ...

A real security nightmare would be if you use a closed source program and depend on it, and the company goes out of business (or gets litigated out of existence, or destroyed by a meteorite, or inserts a back door for the NSA or the Russian Mafia, or...), and you have no choice but to convert to another system at great expense and pain. If that's even possible.

"Security through obscurity" is not an effective strategy. Backdoors are only workable in closed systems.

You're probably facing a sysadmin that has invested an entire career in the systems and OS you're currently using. These types will fight tooth and claw to keep anything they don't already know out of the place they're working rather than upgrade their skill set or think outside their box.

Clearly, the number of exploits against closed source software is evidence that source code is not required in order for software to be exploited. I believe that the majority of exploits are found not by source code review, but by finding bugs and using various debugging techniques to determine the exploit.

As Dr. Ira Levy, technical director with the CESG - a department of the UK's GCHQ intelligence agency that advises UK government on IT security, is quoted as saying in a ZDNet article:

Bad people can look at the source code, so it's less secure

"Again that's nonsense. If I look at how people break software, they don't use the source code. If you look at all the bugs in closed source products, the people that find the bugs don't have the source, they have IDA Pro, it's out there and it's going to work on open and closed source binaries — get over it."

How insecure a piece of software is isn't generally a function of whether the source is available or not - it's a function of the quality and complexity of the software. There is insecure closed source software and there's insecure open source software. Similarly, there's secure software of both types. Projects and organizations that take security seriously will have secure software, whether or not they release the source. Also, less complex software will generally be more secure than complex software.

An example of a large open source project with complex software that is considered very secure is OpenBSD. See http://en.wikipedia....ty_and_code_auditing for information about how security issues have been dealt with in the past, including bogus claims that the FBI inserted backdoor code into the system. I wonder if MS or Symantec software have any backdoors? If your IT guy asks those companies about that, can he believe the answer? If there are backdoors, I believe that crackers will likely eventually find them as exploits.

The popularity of software will be a factor in how much effort is put into exploiting it. I'd guess that an open source clinical information system isn't high on exploiters' target lists (though given the sensitivity of health care information, I might be wrong about that. And certainly security should be taken seriously for such an application, regardless of how many people might be looking to exploit it).

And just because an organization is large and trusted, doesn't mean that they will necessarily always take proper care with security. The recent theft of a user database from Adobe is an example. Not only did Adobe screw up in letting the database get downloaded (I have no idea on what happened to allow that), but it's clear from analysis of the file that Adobe didn't even follow the simplest of standard practices in storing passwords in the database: http://nakedsecurity...yptographic-blunder/ Adobe is a rather large vendor of closed source software - are they as careless with security in those products?

Finally, is your organization so locked down that such software as Firefox, Chrome, Java, Linux, Android devices, or Apple computers aren't found anywhere? No use of scripting languages like Perl, Python, or Ruby? All of those are open source to at least some degree. Does your organization use ASP.NET? The source is openly available: http://aspnet.codeplex.com/

Another angle is the 'security' of your business workflow and data. You say that you're looking into the replacement software because it won't run on Win 7. If the software were open source, your organization would at least have some opportunity to decide if the effort to fix the software to run on Win 7 was worthwhile. With closed source software that decision is out of your hands if the vendor decides not to do it (or if the vendor no longer exists). In that case you're stuck with running the software on older systems (which may introduce its own set of security issues) or moving to different software.

If the software were open source there's no guarantee that making it run on Win 7 would be easy or worthwhile, but you'd at least be able to make that decision for yourselves on the technical merits. Businesses should consider being locked out of their data or systems a form of risk similar to security risks. After all, problems with either cost the business money to address.
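The post above mentions Adobe not following "the simplest of standard practices in storing passwords". As an added illustration (not code from the thread, and not a claim about what Adobe's scheme actually was), the following Python contrasts a constructed weak scheme (one unsalted, fast hash per user) with the standard practice of a per-user random salt and a deliberately slow key-derivation function, here PBKDF2-HMAC-SHA256 from the standard library. The user names and passwords are constructed sample data; the record format, iteration count and helper names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example for the "standard practices in storing passwords" point above.
# The weak scheme is a constructed illustration, not any named vendor's scheme.

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def weak_store(password: str) -> str:
    """Weak: a single unsalted, fast hash.

    Two users with the same password get identical records, so cracking one
    reveals both, and a precomputed table works across the whole database.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Standard practice: per-user random salt plus a slow KDF.

    The record embeds the algorithm, iteration count and salt so that
    verification is self-describing and the work factor can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def reused_password_groups(records: List[str]) -> int:
    """Audit helper: number of distinct record values shared by more than one
    user. With the weak scheme this is > 0 whenever a password is reused; with
    the salted scheme it stays 0 even with reuse, because every record differs.
    """
    counts: Dict[str, int] = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample: three users, two of whom share a password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    weak = [weak_store(p) for p in users.values()]
    strong = [store_password(p) for p in users.values()]
    print("weak scheme, reused groups visible:", reused_password_groups(weak))
    print("salted scheme, reused groups visible:", reused_password_groups(strong))
    print("verify alice:", verify_password("hunter2", strong[0]))
```

The point the audit helper makes is that a leaked database under the weak scheme exposes password reuse and allows one crack to unlock many accounts, whereas under the salted, slow scheme every record has to be attacked individually and at the cost of the configured work factor.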

I prefer not to debate or argue in a workplace environment. People in higher positions tend to project bull** onto the people who work under them. I have heard a lot of crap from managers and tech leads regarding changing trends and advocacy for paid software or closed source software.

e.g. "Java is outdated, nobody uses java so we should use them", "open source is costly than microsofts stuff", "open source is not easy", "open source is not secure", "norton software doesn't hang on any computer, it is good at security", "php is crap, rails is good", "linux is hard to use, windows is easy" and list goes on.

Arguments from those who promote MS stuff or expensive software are very thin and purely on the basis of personal interest.

There are many reasons with which we can argue on such stuff. We can make things work as simply as possible and get the work done. But some people hold presumptions and just want to do the work the way they find better. No amount of debate other than the "cost" argument can persuade a pro-MS or pro-paid-software person to accept open source or free software.

Open source projects, once they gain popularity, turn themselves into foundations and become more active on security and updates. Only the projects with less popularity and a lack of organization tend to be easy targets for security issues. Otherwise, popular open source projects are quickly maintained on security and features, like Mozilla, WordPress, Debian, etc. The amount of work done on these projects is much higher than on paid software when it comes to security.

I switched my workflow to Linux 2 years ago and it's working just fine. No viruses, no constant rebooting. It took just a few days of getting used to, and I managed to work just fine on Linux. The beauty of open source and free software is you don't have to defend it. As it saves you money and time on many things, adoption becomes much easier. Sometimes debate is pointless.

"Security through obscurity" is not an effective strategy. Backdoors are only workable in closed systems.

You're probably facing a sysadmin that has invested an entire career in the systems and OS you're currently using. These types will fight tooth and claw to keep anything they don't already know out of the place they're working rather than upgrade their skill set or think outside their box.

It's a bit of a pity that you had to mention the name of the product and it being open-source. The only way you'll probably get the application on board is from a functional viewpoint: your users should tell that stubborn/short-sighted IT guy that they want/need that application to be able to do their work properly, and that IT needs to provide it to them to be able to stay in business, instead of the other way around. This is of course based on the assumption that a functional shoot-out has already been done. The fact that it's open source should not be part of the equation.

^ very good points for getting any sort of software into an organization. Also not bringing it up for the first time in a meeting, but getting buy in from IT into the process through backchannels (dropping by and having conversations about X, etc) helps also.

Now, now, we both know that no properly seasoned BOFH is going to automatically accept any decision impacting their systems without a bit of probing to gauge how vested who is in the proceedings.

We just went live with new BI software last week, and I didn't mind the change, because the old system really did suck. But I fought tooth and nail to keep the systems bolted to the floor at eye level instead of in the cloud, where the IT fashion-tragic lemmings are flocking (to their deaths, I hope) by the "thousands" (according to the vendor's inflated sales graph).

Actually, it's both, truth be told. But they should work hand in hand and not be based on hidebound mentalities on either side. That's why you have a review board in the best cases rather than a single individual. And it's not just about which one you like, but compelling business need.

Mm. Management are the ones who are peppering the place with Bloody iPads and demanding Bring-Your-Own-Disaster sooner than the infrastructure can support it. Management can't make decisions if they're not informed of the options; they also can't be informed if they have their fingers stuck in their ears because they're not smart enough to understand what they're being told -- or prefer to believe that a deus ex machina will materialise at the 11th hour.

If anyone knows how to make a 16-bit NetBIOS stack appear in Win7, they'll get their deus ex machina. But so far...

Management are the ones who are peppering the place with Bloody iPads and demanding Bring-Your-Own-Disaster sooner than the infrastructure can support it. Management can't make decisions if they're not informed of the options; they also can't be informed if they have their fingers stuck in their ears because they're not smart enough to understand what they're being told -- or prefer to believe that a deus ex machina will materialise at the 11th hour.

+10 - Love your definition of BYOD ... Seriously man, I'm friggin' stealing it! I wish I had a nickel for every time the brass got back from some seminar all wound up over some new fad technology trend that they wanted to throw money at ... That didn't friggin work. I don't care if it'll sell "like hot cakes" if it's only going to require us to hire 6 more people to handle the load of people screaming at us...Then it's a stupid idea.

Problem is, that's a VM that needs its own antivirus, distribution, individual configuration and an entry in the AD in order to see printers, and the guys who worry about installing this stuff reckon it'll be a major job to distribute and maintain (my view: no harder than it is now, but there y'go). In order to keep the machine happy, they also reckon that a new 64-bit machine with a spare couple of gig of RAM to give to the VM is about the minimum, and the older kit around the place would all have to be upgraded, so vast costs all round.

The encapsulated problem and the only known solution is here, and it appears that Sybase don't care enough to write an update to the relevant program. With XP going out of support and increasingly not available on new kit, we have a bit of a problem.

Management are the ones who are peppering the place with Bloody iPads and demanding Bring-Your-Own-Disaster sooner than the infrastructure can support it. Management can't make decisions if they're not informed of the options; they also can't be informed if they have their fingers stuck in their ears because they're not smart enough to understand what they're being told -- or prefer to believe that a deus ex machina will materialise at the 11th hour.

+10 - Love your definition of BYOD ... Seriously man, I'm friggin' stealing it! I wish I had a nickel for every time the brass got back from some seminar all wound up over some new fad technology trend that they wanted to throw money at ... That didn't friggin work. I don't care if it'll sell "like hot cakes" if it's only going to require us to hire 6 more people to handle the load of people screaming at us...Then it's a stupid idea.

Yup. And speaking as an unrepentant BOFH I find they're almost as annoying as the IT types who go into a meeting and make a bonehead declaration that open source software is a security nightmare purely by virtue of the fact it is open. Especially when they should know better. (And to think these guys get paid the big bucks!)

So c'mon guys...we do this stuff for a living. Bash management if you will. But we still have far too many outdated and clueless techno-wankers living under our own roof in the bowels of IT. Let's stop covering for these morons.

Today, in a meeting at work, I mentioned that one of our senior doctors was looking at an open source product that might be a worthy replacement for the aging and soon-to-die (it won't run under Win7) clinical information system we use.

One of the IT attendees said straight away that he wouldn't allow anything open source running in our environment. Why? I asked. "Well, it's insecure. If the code's available to anyone, then anything could happen. A security nightmare."

Aghast as I was, I had no instant answer. I mumbled something incoherent about open source encryption tools that probably nobody there gave any credence to at all and the conversation moved on....

"Oh, remember that free day you all got two months ago? I already replaced it. But I copied the front end exactly, so you never noticed, and remember how much y'all said it was better than ever? Exactly."

But yes. Fantasy land.

"...and the conversation moved on."

Bingo. Because there was no secondary higher level Mgt proponent who said "hold on, let's look at this!"

So sounds to me like there's a bit of networking to do before some Big Meeting. Because Joe from the Controller's Office might have chipped in, "ya know, he's got a point, it does X and Y and Z that we can't do, and it would save five grand per audit..."

But even a General Manager could have called a halt and said "let's go into this a few minutes. Why is it insecure? Do we assume Windows is safer?"